From: Matt Foster (matt.foster@blade-software.com)
Date: Fri Mar 12 2004 - 11:33:28 EST
Hi List,
We have received quite a lot of emails from people on this list wanting to
understand more about IDS Informer, and so I thought one generic post here would
ensure that the information gets to the right people.
IDS Informer typically runs on a Windows laptop with two network cards. The
cards, when plugged into a network, become virtual PCs: network card one can
send traffic to network card two; when it receives the traffic, it then responds
to network card one, therefore creating a stateful traffic stream. Any device on
the network monitoring would believe that two separate computers are talking.
IDS Informer has a database of attack files, and tests can be configured using
any source and destination IP addresses and ports; you can use lists, ranges
and random for each of the fields. Time delays of up to one hour can be added
between each attack as they are run, or between each packet within an attack.
IDS Informer has a number of plug-ins to allow additional capability: there is a
command line interface for scripting tests and a development kit to allow the
conversion of 3rd party capture files into the Informer format. In addition,
there is also an evasion plug-in which applies techniques such as fragmentation
and sending packets out of sequence to any traffic passing through it; this can
be used with IDS Informer or can be used in a standalone mode.
Firewall Informer provides very much the same capabilities as IDS Informer;
however, it transmits network protocol files rather than attack traffic.
All in all, the products offer users a self-contained testing system running from
a normal Windows laptop with two network cards; you do not need a real target
host to connect, and this means that a wide range of testing can be performed
quickly, easily and safely in production environments.
Regards
Matt
_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________
-----Original Message-----
From: Frederic Charpentier [mailto:fcharpentier@xmcopartners.com]
Sent: 11 March 2004 09:30
To: pen-test@securityfocus.com
Subject: Re: IDS Testing
hi.
Some tools are OK to test an IDS, but this is not the best way to do that.
A tool will generate stupid triggers to wake up your IDS, like old CGI
attacks and low-level TCP/IP tricks.
The best way is to understand the patterns you set up in your IDS.
It doesn't matter that some stupid guys perform ping attacks or silly CGI
attacks!!
* Try buffer-overflow/shellcode patterns, and do simple tests like:
copy/paste a shellcode into a telnet session.
* For HTTP intrusion detection, detecting IIS Nimda attacks is not
efficient; trying to trigger your IDS with XSS/SQL-injection techniques is
much more efficient:
sample:
http://website/script?req=
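As an added, constructed illustration of the coverage testing Frederic describes (not code from either poster or from Blade-Software): a small Python harness that runs constructed XSS, SQL-injection and benign request lines against a simplified, assumed content-signature set and reports, per case, which expected detections fired, which were missed, and which benign requests caused false positives. The signature regexes, the percent-decoding normalisation step and the test strings are all assumptions standing in for a real IDS rule set.

```python
import re
from urllib.parse import unquote

# Constructed, simplified content signatures standing in for a real IDS rule set.
# Each is a case-insensitive regex applied to the normalised request line.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    "sqli-union-select": re.compile(r"\bunion\b[\s\S]{0,32}\bselect\b", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
}

# Constructed test requests. 'expect' is the detection we want from the rule set;
# an empty set marks benign traffic and serves as a false-positive check.
TEST_CASES = [
    {"name": "plain-xss", "expect": {"xss-script-tag"},
     "request": "GET /script?req=<script>alert(1)</script> HTTP/1.0"},
    {"name": "url-encoded-xss", "expect": {"xss-script-tag"},
     "request": "GET /script?req=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0"},
    {"name": "sqli-tautology", "expect": {"sqli-tautology"},
     "request": "GET /script?req=1'%20OR%20'1'='1 HTTP/1.0"},
    {"name": "sqli-union", "expect": {"sqli-union-select"},
     "request": "GET /script?req=1%20UNION%20SELECT%20name%20FROM%20t HTTP/1.0"},
    {"name": "benign", "expect": set(),
     "request": "GET /script?req=hello%20world HTTP/1.0"},
]

def normalise(request: str) -> str:
    """Percent-decode once, as an IDS HTTP preprocessor would before content
    matching (assumed behaviour; double-encoded input would need a second pass)."""
    return unquote(request)

def match_signatures(request: str) -> set:
    """Return the names of every signature that fires on one request line."""
    text = normalise(request)
    return {name for name, pattern in SIGNATURES.items() if pattern.search(text)}

def evaluate(cases=TEST_CASES) -> dict:
    """Run all cases; report fired, missed (expected but silent) and
    false_positives (fired but not expected) per case name."""
    report = {}
    for case in cases:
        fired = match_signatures(case["request"])
        report[case["name"]] = {"fired": fired, "missed": case["expect"] - fired,
                                "false_positives": fired - case["expect"]}
    return report

if __name__ == "__main__":
    for name, r in evaluate().items():
        status = "OK" if not r["missed"] and not r["false_positives"] else "CHECK"
        print(f"{status:5} {name}: fired={sorted(r['fired'])} missed={sorted(r['missed'])}")
```

A case flagged CHECK points at either a signature gap (missed) or an over-broad pattern (false positive), which is the information an IDS tuning exercise needs.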